Re: [PATCH] wifi: carl9170: clamp command response copy to the read buffer size

[Doruk (0sec)]

Hi Christian
sorry for the dup, didn't see Tristan's version; feel free to ignore mine :)

cheers
Doruk

DORUK TAN ÖZTÜRK

Co-Founder


0sec

Universitätstrasse 33

8006 Zürich, Switzerland

www.0sec.ai | doruk@xxxxxxx | Linkedin



On Sun, 21 Jun 2026 at 10:17, Christian Lamparter <chunkeey@xxxxxxxxx> wrote:
>
> Hi,
>
> On 6/20/26 12:48 AM, Doruk Tan Ozturk wrote:
> > carl9170_cmd_callback() copies len - 4 bytes from the device command
> > response into ar->readbuf, which was allocated by the caller with
> > ar->readlen bytes. When the firmware/device returns a response whose
> > payload is larger than the requested ar->readlen, the mismatch is only
> > logged (and the device is restarted via carl9170_restart()); the code
> > then still performs the full-length memcpy(), writing past the end of
> > ar->readbuf -- an out-of-bounds write driven by an attacker-controlled
> > (malicious/compromised) carl9170 USB device.
> >
> > Clamp the copy to ar->readlen so an over-sized response can never write
> > past the caller's buffer. A response that fails the length check is
> > already discarded by the restart, so copying only the buffer-sized
> > prefix changes nothing for the valid path.
>
> This is contested territory.
> <https://lore.kernel.org/linux-wireless/26e33fea-c81e-48f4-a058-4b3bf0dc95c5@xxxxxxxxx/>
>
> Original patch (as part of a series is from Tristan Madani)
> <https://lore.kernel.org/linux-wireless/20260421134929.325662-2-tristmd@xxxxxxxxx/>
>
> Yes, I do think each came up with the patch individually. But I have no idea how
> this works with three authors / tools? Does anyone? I don't think this will get
> any better though.
>
> > Reported-by: syzbot+5c1ca6ccaa1215781cac@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Tested-by: syzbot+5c1ca6ccaa1215781cac@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=5c1ca6ccaa1215781cac
> > Fixes: a84fab3cbfdc ("carl9170: 802.11 rx/tx processing and usb backend")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Doruk Tan Ozturk <doruk@xxxxxxx>
> > ---
> > Verified with syzbot via "#syz test" against the public C reproducer
> > (Tested-by above); I do not have carl9170 hardware locally.
> >
> >   drivers/net/wireless/ath/carl9170/rx.c | 3 ++-
> >   1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c
> > index 908c4c8..897e682 100644
> > --- a/drivers/net/wireless/ath/carl9170/rx.c
> > +++ b/drivers/net/wireless/ath/carl9170/rx.c
> > @@ -150,7 +150,8 @@ static void carl9170_cmd_callback(struct ar9170 *ar, u32 len, void *buffer)
> >       spin_lock(&ar->cmd_lock);
> >       if (ar->readbuf) {
> >               if (len >= 4)
> > -                     memcpy(ar->readbuf, buffer + 4, len - 4);
> > +                     memcpy(ar->readbuf, buffer + 4,
> > +                            min_t(unsigned int, len - 4, ar->readlen));
> >
> >               ar->readbuf = NULL;
> >       }
>
> Regards,
> Christian